ContentKeeper - Remote command execution and privilege escalation

2009-04-02 / 2009-04-03
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

aushack.com - Vulnerability Advisory ----------------------------------------------- Release Date: 03-Apr-2009 Software: ContentKeeper Technologies - ContentKeeper Web http://www.contentkeeper.com/ "ContentKeeper is an industry leading Internet content filter that allows organisations to monitor, manage, control & secure staff access to Internet resources." Versions affected: ContentKeeper 125.09 and below. Vulnerability discovered: Remote command execution and privilege escalation vulnerabilities. Vulnerability impact: High - Unauthenticated users with access to the management IP address of the device may execute commands remotely as the apache user. Furthermore, a privilege escalation vulnerability is present allowing for unauthenticated remote root compromise. Vulnerability information The appliance is administered by use of a web browser HTML based front end. The .htaccess file prohibits unauthenticated access to known HTML management pages, however other binaries, such as mimencode, are exposed. By sending a HTTP POST request, it is possible to write arbitrary data to a default file which has world read-write-execute permissions. It is then possible to send a HTTP GET request to the written file, to execute arbitrary commands remotely. It is also possible to use mimencode to conduct directory traversal style attacks, e.g. obtaining a mime encoded copy of '/etc/passwd'. In addition, the setuid root benetool available to the apache user contains an unsafe call to 'ps' and others, allowing for PATH manipulation for root escalation A Metasploit Framework Module is available in the trunk. Solution: Upgrade to 125.10 or above. References: aushack.com advisory http://www.aushack.com/200904-contentkeeper.txt Credit: Patrick Webster (patrick_at_aushack.com) Disclosure timeline: 10-Apr-2008 - Discovered during audit. 18-Jul-2008 - Vendor notified. 18-Jul-2008 - Vendor response. 25-Feb-2009 - Vendor confirmed patched version. 03-Apr-2009 - Public disclosure. EOF

References:

http://seclists.org/bugtraq/2009/Apr/0019.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top